#VU66746 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in NodeBB


Published: 2022-08-24

Vulnerability identifier: #VU66746

Vulnerability risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-36045

CWE-ID: CWE-338

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
NodeBB
Web applications / Forum & blogging software

Vendor: NodeBB

Description

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to the use of a weak pseudo-random number generator within the utils.generateUUID function. A remote attacker can use multiple invocations of the password reset functionality to correctly calculate the reset code and take over an arbitrary account on the website.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

NodeBB: 1.0.0 - 2.0.0


External links
http://github.com/NodeBB/NodeBB/security/advisories/GHSA-p4cc-w597-6cpm


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
